Archive

The awareness of using strong passwords has significantly improved over the last few years thanks to the efforts of many security organizations and websites. Even a layman today knows that it’s important to have a strong password to thwart hacking attempts.

Unfortunately, these organizations and websites fail to mention that the security of a member’s account is the responsibility of the user AND the organization that stores the password. As a result, whenever hundreds or thousands of passwords are stolen by hackers, some website managers find it convenient to blame the users for the theft. Although mass password thefts are generally caused by phishing (in which case the user is at fault), a small percentage are caused by stealing or hacking the website database. Sometimes, organizations release member information to third-party companies or partner websites, which is fine as long as they take certain safety measures. As you can imagine, not everyone does this, which means that the host website is also a potential point of failure.

I shall explain by providing a couple of examples and shall conclude with a test procedure that you can use to detect if a website is storing your passwords securely.

Please note that this article is only concerned with password storage and ignores security measures and breaches due to other factors.

Eg1: Plain, Simple and Visible

This technique stores all data in plaintext. Hence, all the passwords and data are visible to anyone who has access to the database table. You don’t even need to hack the database to gain access to such information: some employees of the organization storing this data have legitimate access to the database and can steal passwords if they wish. Although it’s fairly obvious that storing data in plaintext is asking for trouble, it’s popular among students and others due to the ease of implementation.

Areas where this technique is prevalent:

Web applications written by students.

Websites belonging to Small and Medium Businesses (SMB).

Websites of startups. (Hardly any startups do this anymore which is a good sign)

Eg2: Secure Passwords, Open Data

Passwords, in this case, are stored as a computed one-way hash. This prevents them from being reversed into their original form and, in essence, protects the password from being recovered in the event of a security breach. Employees who have genuine access to the database can view your data but have no idea what your password is. This is desirable in situations where member information needs to be visible to employees while the password remains a secret known only to the member.

Areas where this technique is prevalent:

Web applications written by (smarter) students.

Startups and other SMBs.

Online Forums.
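To make the difference between Eg1 and Eg2 concrete, here is an added example written for this page (it is not code from the original post). It assumes two in-memory dictionaries standing in for the database tables, and it uses a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python’s standard library) rather than a bare digest, which is the form a practitioner would use today; the `dump_leaks_password` helper models what someone reading a stolen table learns.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "user tables": username -> stored credential.
PLAINTEXT_TABLE = {}   # Eg1 storage
HASHED_TABLE = {}      # Eg2 storage

# Work factor for PBKDF2-HMAC-SHA256; a deliberately slow hash resists guessing.
PBKDF2_ITERATIONS = 600_000


def register_plaintext(username, password):
    """Eg1: the password itself is written to the table."""
    PLAINTEXT_TABLE[username] = password


def verify_plaintext(username, password):
    stored = PLAINTEXT_TABLE.get(username)
    if stored is None:
        return False
    # Constant-time comparison, so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored.encode(), password.encode())


def hash_password(password, salt=None):
    """Salted one-way hash; returns 'salt_hex$digest_hex' for storage."""
    if salt is None:
        salt = secrets.token_bytes(16)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def register_hashed(username, password):
    """Eg2: only the one-way hash (plus its salt) is written to the table."""
    HASHED_TABLE[username] = hash_password(password)


def verify_hashed(username, password):
    record = HASHED_TABLE.get(username)
    if record is None:
        return False
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dump_leaks_password(table, username, password):
    """True if a copy of the table (a breach, or an insider with read access)
    directly reveals the user's password."""
    return table.get(username) == password


if __name__ == "__main__":
    register_plaintext("alice", "correct horse")
    register_hashed("bob", "correct horse")
    print("plaintext table leaks alice's password:",
          dump_leaks_password(PLAINTEXT_TABLE, "alice", "correct horse"))
    print("hashed table leaks bob's password:",
          dump_leaks_password(HASHED_TABLE, "bob", "correct horse"))
```

Both tables let the legitimate login path succeed; only the plaintext table hands the password to whoever reads it. The random salt also means two users with the same password get different stored values, so a stolen table cannot be matched against a precomputed list of hashes.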

Eg3: Secure Data and Passwords

In this case, only the primary key is left unencrypted, while every other field is encrypted using a reasonably long key. This makes locating entries in the database easy and protects the user’s information. Partner websites do not have direct access to the data and instead go through intermediate accessor functions. Even if the database were stolen, user information would remain protected, unlike with the previous methods.

There are several variations that are more secure which employ various techniques such as:

Encrypt everything and use lookup tables with hashes to access data.

Distribute data across multiple databases.

Distribute data across multiple databases that use different encryption schemes.

…and many, many more which are far more complex and more secure by several degrees…

Areas where this technique is prevalent:

Banks

e-commerce Websites

Government and Military Organizations

Aside from these techniques, there’s an interesting myth on which I’d like to throw some light.

Websites that use HTTPS

A website that uses HTTPS (SSL/TLS) only guarantees that data in transit between the user and the website cannot be read by an eavesdropper. It says nothing about how the data is stored on the server side. Hence, data stored on a website that uses HTTPS is still insecure if the site employs the storage method described in Example 1.

How to Find Out If a Website Stores Your Password in Plaintext?

Follow these simple steps to find out if a website hashes your password or not.

Register as a new member on the website in question. If you already have an account, skip this step.

Click ‘Forgot Password’ on the login page of the website.

Follow the instructions to recover your password. (Usually you would enter your email address or answer your secret question, depending on the website.)

If your old password is revealed on screen or in the ‘password recovery’ email, the password is stored in plaintext, which means your password can be stolen in the event of a server-side security breach.

If you are asked to click a ‘Password Reset’ link or to enter a new password directly (this is website-dependent), the website stores your password as a hashed value and your password is safe from being stolen if the website gets hacked. (In this case, your old password can’t be shown to you because a hashed value cannot be converted back into its original form.)

I hope this article has helped you realize that having a strong password is pointless if the website that you use it for stores it in plaintext.

Update: rootkit.com got hacked on March 3rd, 2011 (see here and here) and had all its users’ account passwords stolen, since all the user passwords were stored in plaintext. It’s disappointing that someone as accomplished as Greg Hoglund (whose book on rootkits still remains one of my favourites) stored passwords as plaintext on his website. A security firm headed by a security researcher making such a basic mistake is simply unforgivable. I hope you won’t make the same mistake.

Update: Microsoft India got hacked on February 12th, 2012 and had all user account passwords stolen (see here) because they were stored in plaintext. One would think that at least Microsoft would know how to store passwords. Sigh.

We’ve all heard of one-way hash functions at some time or other.
Most of us have heard about them from books.
An algorithm’s explanation is usually followed by its applications, and most books mention only one major security application, i.e. implementing password checks by storing the hashed passwords in a database.

I used to wonder: “That’s it? One application in security?”, and searching on the internet (and some more books) didn’t help either.

Luckily, I’ve finally found my answers. Now I’m able to appreciate one-way hash functions a lot more because I’ve seen one in action. If I had read about this application in a book, I’m sure that I wouldn’t have realized its importance.

A few days ago, Nokia Corporation issued a notice to all customers that some of its BL-5C model batteries had manufacturing defects which could cause them to explode. It asked customers to check if their batteries were manufactured between December 2005 and November 2006 and, if so, to get the battery replaced for free.

Nokia also allowed its customers to type in their 26-character battery code on its website (www.nokia.com/batteryreplacement) to see whether their battery was faulty or not.

I decided to check the script which finds out when the battery was manufactured. I thought that by looking at the source code, I could figure out exactly which batteries were faulty.

This code is awesome because, even after reading the source code, nobody can figure out which units are faulty. At most, what we can understand is that battery information (date of manufacture, location of manufacture) is present between the 8th and 17th characters. The characters in positions 18 to 26 could hold the number of batteries manufactured by the factory before the current unit. We also know that the battery is faulty for some 334 combinations of the characters between the 14th and 17th positions. But having this knowledge is futile.

Hence, by using a one-way hash algorithm (MD5 in this case), we can hide such information (the factory codes of the factories which manufactured the faulty batteries) even in the source code. This way we can protect such vital information from being stolen by anyone, even someone who has access to the complete source code, and this, in my opinion, is one of the most brilliant applications of one-way hash functions.
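The battery checker described above, reconstructed as an added Python example (my code, not Nokia’s script or anything from the original post). It assumes the 26-character code, the 14th-to-17th-character field and MD5 exactly as stated above; the faulty field values `A1B2` and `Z9Y8` are constructed for the demo and hypothetical. `build_hash_list` stands for the offline step that produces the digests a shipped checker would embed, and `is_faulty` is the public side, which only ever sees digests.

```python
import hashlib

CODE_LENGTH = 26             # battery codes are 26 characters (per the post)
FIELD_SLICE = slice(13, 17)  # characters 14 to 17 (1-based): the field the checker tests


def md5_hex(text):
    """MD5 digest as hex; MD5 is the function the post says the checker used."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


def build_hash_list(faulty_fields):
    """Manufacturer side, run offline once: turn the secret list of faulty
    field values into the set of digests that gets embedded in the public
    checker. The plaintext values never leave this step."""
    return frozenset(md5_hex(field.upper()) for field in faulty_fields)


def normalize(code):
    """Accept codes typed with spaces or dashes in either case; reject bad lengths."""
    code = code.replace(" ", "").replace("-", "").upper()
    if len(code) != CODE_LENGTH:
        raise ValueError(f"battery code must be {CODE_LENGTH} characters, got {len(code)}")
    return code


def is_faulty(code, faulty_hashes):
    """Public checker: hash the relevant field and look the digest up.
    Reading this function and its data reveals only hashes, not which
    field values are on the recall list."""
    return md5_hex(normalize(code)[FIELD_SLICE]) in faulty_hashes


# Constructed demo data (hypothetical field values, not real Nokia codes).
DEMO_FAULTY_FIELDS = ("A1B2", "Z9Y8")
DEMO_HASHES = build_hash_list(DEMO_FAULTY_FIELDS)   # this set is all a shipped checker would contain

if __name__ == "__main__":
    for code in ("0123456789ABCA1B2XXXXXXXXX", "0123456789ABCQQQQXXXXXXXXX"):
        print(code, "faulty" if is_faulty(code, DEMO_HASHES) else "ok")
```

The secrecy this buys is bounded by the keyspace of the hashed field: a four-character field has few enough possible values that the embedded digests could be matched against every candidate offline, so the technique hides the recall list from a casual reader of the source rather than from a determined one. Hashing a longer, higher-entropy portion of the code raises that bar.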